EQUINIX WHITE PAPER

SMARTKEY™ SECURITY OVERVIEW DOCUMENT

Equinix.com

TABLE OF CONTENTS

Digital transformation of the enterprise

Enterprise IT’s responsibility in the cloud

Equinix SmartKey

Summary


DIGITAL TRANSFORMATION OF THE ENTERPRISE

Digital transformation is top of mind for today’s enterprise CIO. It is also the main driver of rapid adoption of cloud technologies across the spectrum, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Enterprises are adding cloud services to embrace new business models, adding on-demand resource capacity to support business growth and expanding geographically to better serve their business population centers.

The numbers are staggering. From a global perspective, Forrester estimates that the public cloud market will grow to $178B in 2018, up from $146B in 2017—that’s a 22% compound annual growth rate. But more importantly for the enterprise, Forrester also predicts that “In 2018, we’ll cross the significant 50% adoption milestone, and cloud applications, platforms and services will continue to radically change the way enterprises compete for customers.”1

This tremendous growth and opportunity also introduces a significant downside because data and applications no longer reside solely in the safety and security of the corporate data center. Instead, data and applications are spread across public and private clouds. Cloud computing enables truly transformational efficiencies, but it also opens the door to new threats and heightened risk levels. The result is that IT security and IT operations teams must adopt a new paradigm to protect data and applications wherever they are—inside the data center, on public or private clouds or in transit between all of them.

If this isn’t complicated enough, adoption of cloud services across public and private clouds is just a start. As companies start to grasp the use of hybrid cloud infrastructures, leading organizations recognize an even bigger shift on the horizon. Those leaders foresee that the ultimate benefit to business is to move the creation and processing of data all the way out to the digital edge. According to Gartner, “Around 10% of enterprise-generated data is created and processed outside a traditional centralized data center or cloud.” By 2022, Gartner predicts, this figure will reach 75%.2

1 Forrester, “Forrester’s Predictions 2018: Cloud Computing Accelerates Enterprise Transformation Everywhere”

2 Smarter with Gartner, “What Edge Computing Means for Infrastructure and Operations Leaders,” October 3, 2018; https://www.gartner.com/smarterwithgartner/what-edge-computing-means-for-infrastructure-and-operations-leaders/



[Figure: Gartner predicts 75% of data creation moving to the edge by 2022 (2018: 10%; 2022: 75%). Note: This graphic has been created by Equinix based on Gartner research.]

Shifting to the cloud brings new risks. Data and applications become more accessible to attack from multiple vectors. As a result of cloud movement, the potential for data exposure is high. And although cloud providers tend to have good security for the aspects of the stack that they consider their responsibility, the ultimate responsibility for protecting data in the cloud lands squarely with the organization’s IT team.

In the most recent version of “The Treacherous Twelve: Cloud Computing Top Threats” from the Cloud Security Alliance, the number one concern of IT security professionals was data breach.3 Data breaches have significant consequences, negatively impacting a company for years to come. Breaches erode customer trust, damage the brand, get leaders fired and cost enterprises large sums of money.

3 Cloud Security Alliance, “The Treacherous Twelve: Cloud Computing Top Threats in 2016,” Feb. 2016; https://cloudsecurityalliance.org/group/top-threats

ENTERPRISE IT’S RESPONSIBILITY IN THE CLOUD

In 2017 five major breaches dominated the news and garnered industry attention. Yet according to Risk Based Security’s “2017 Data Breach QuickView Report,” the problem is even more widespread around the world. More than 5,200 breaches were recorded globally in 2017, surpassing the previous high in 2015 by nearly 20%. In addition, the number of records compromised also surpassed all other years, with more than 7.8 billion records exposed—a 24.2% increase over the previous high in 2016 of 6.3 billion.4

Although cloud service providers (CSPs) promote their highly secure environments, they take responsibility for only about half of the equation. CSPs embrace a model of shared responsibility: they focus on the security “of” the cloud, with the customer responsible for the security “in” the cloud. This means that CSPs look after security of the hardware layers, physical access to data centers and connectivity between those components. What they don’t manage or secure are the operating systems, the configurations of networks and firewalls, the platforms, the applications, the data or the encryption of those elements. The security “in” the cloud, as well as across different clouds, is the responsibility of the enterprise IT team.

With this new paradigm, enterprise security teams must shift their thinking to adapt to a new landscape where data simultaneously exists in data centers, private clouds and across multiple public clouds. In its “Treacherous Twelve” report, the Cloud Security Alliance recommends that “The best protection against data breach is an effective security program. Two important security measures that can help companies stay secure in the cloud are multifactor authentication and encryption.” Yet for most IT teams, the challenge lies in securing the encryption keys while meeting the goals of the organization.

Although there are several areas of security concern in the cloud, this white paper will focus on data security. Today’s evolving IT environment is a new world, and enterprise IT teams must now solve for several data security use cases, with increasing risk. These use cases include:

• Encrypting data at rest to protect databases, data lakes, data warehouses and general data storage.

• Encrypting data in motion (SSL/TLS) behind a trust boundary that is easy to use and offers low-latency access, to protect web servers, VPN servers and proxies.

• Cloud-neutral key management in multicloud environments, enabling an organization to efficiently control encryption keys and data protection across AWS, Microsoft Azure, Google Cloud, IBM Cloud and other cloud platforms.

• Public key infrastructure (PKI) reducing operational complexity and enhancing security and visibility by providing PKI CA, secure manufacturing, code signing, document signing and similar features.

4 Risk Based Security, “2017 Year End Data Breach QuickView Report”; https://pages.riskbasedsecurity.com/2017-ye-breach-quickview-report


Introducing Key Management as a Service for enterprise encryption programs

Research suggests that encryption and key management are highly effective ways to protect data in the cloud. And since encryption is only as strong as the security of the keys, protection of encryption keys must fundamentally change to support new-world use cases. The solution is to adapt centralized key management to support the use cases across public, private, hybrid and multicloud environments. To accomplish this, keys must be maintained in a cloud-agnostic way outside the boundaries of the clouds themselves, with the keys in close proximity to the data to ensure speedy access.

The 451 Research publication “Pathfinder Report: Key Management as a Service,” highlights the need for an independent key management service. The report explains that “An independent key management service gives you the flexibility to shift workloads between on-premises data centers and cloud resources while controlling your keys, abiding by compliance guidelines and establishing predictable performance.”5

And although the concept of Key Management as a Service is relatively new, the complexity, security requirements and the need for global proximity to clouds and ecosystems results in 451 Research’s conclusion that “Key management as a service is a concept whose time has come. Unless you are in the security industry, you are not in business to manage encryption keys across multiple providers and locations. Our recommendation is to evaluate independent key management as a service, starting with on-premises data and then expanding into the cloud.”

Securing your data in the cloud

Until recently, companies have been using legacy hardware security modules (HSMs), combining hardware and associated software to provide key management and cryptographic functions. These functions include encryption, decryption, key generation and hashing. Unfortunately, the existing key management and HSM solutions that use proprietary hardware and software are no longer effective for the modern era. And they can’t support the new-world use cases described above.

Some enterprises are considering another option: key management services offered by CSPs. Although these offerings continue to evolve, this CSP-provided option puts security controls and key management services in the same environment as the data, which is contrary to best practices. Security programs are only as effective as the protection of the keys allows, and putting both on the same platform can give hackers access to explore multiple attack vectors that may help them gain control over those keys.

The best way to solve this problem is with a comprehensive solution that integrates HSM with the scalability and simplicity of SaaS as a component of a secure global platform. The solution should combine the best capabilities of unified key management with hardware security management to support a truly global scale where data can be protected anywhere the internet reaches. The solution must abide by security best practices and maintain separation of data from the encryption keys that unlock it. It should also be designed as a service, providing the necessary features of key management, signing, certificates, encryption, hashing, tokenization and support for custom code.

The solution exists today: Equinix SmartKey™ on cloud-neutral Platform Equinix®.

5 451 Research, “Pathfinder Report: Key Management as a Service,” Feb. 2018


EQUINIX SMARTKEY

Platform Equinix is the interconnection platform for the world’s leading businesses, providing a simple, repeatable approach to creating a point of presence in relevant global locations and scaling an IT infrastructure more quickly to capture new growth and opportunity. It provides an expanding portfolio of building blocks (solutions and services), which include a global footprint; dense business, network and cloud ecosystems; interconnection solutions; and the ability to integrate data and analytics at the digital edge.

SmartKey is a global SaaS-based, secure key management and cryptography service offered on Platform Equinix. Powered by Fortanix, the solution protects data in public, private, hybrid or multicloud environments by simplifying provisioning and control of encryption keys. SmartKey provides cloud scalability, secure key storage, encryption and tokenization services. It addresses performance, as well as government, risk and compliance (GRC) requirements at the digital edge, close to clouds and carriers.

[Figure: SmartKey on Platform Equinix®. Labels: HQ, Branch Office, Data Center; Internet; Private Cloud; BYOK; PLATFORM EQUINIX®; IaaS/Public Cloud Partners; Applications (ex. Containers, Blockchain) in Java, Microsoft .NET, JS, C++; SMARTKEY™ via REST, PKCS#11, CNG, JCE, KMIP. Captions: “The first Intel® SGX-based HSM as a Service”; “Secure, private, low-latency connectivity to cloud providers”.]

SmartKey takes a hybrid approach, providing the best features in hardware-based security combined with the simplicity, flexibility and scalability of a SaaS offering. The SmartKey solution resides on Platform Equinix on a highly secure infrastructure, keeping controls separate from the clouds and the data they unlock. The SaaS simplicity of SmartKey along with centralized management enables organizations to quickly realize value and improve their security posture.


Capabilities

The solution has been designed specifically to meet enterprise requirements. This includes intelligent geographic load balancing, resistance to site failure, centralized monitoring and management, as well as distributed low-latency key access.

SmartKey can be accessed publicly via the internet or privately via Equinix Cloud Exchange Fabric™ (ECX Fabric™) through a variety of secure interfaces, including RESTful APIs, PKCS#11, CNG, JCE and KMIP. Only with SmartKey can your applications securely access their keys through Platform Equinix. This means that key management communications never have to traverse the public internet, which greatly reduces the attack surface and maintains privacy between cloud applications and key management capabilities.

SmartKey has been designed as a highly resilient, distributed solution that ensures maximum availability. Each enterprise deployment begins with a three-cluster architecture on Platform Equinix. Each cluster is independent and made up of dozens of individual hardware nodes. The clusters reside in separate data centers to support a high-availability architecture and to minimize latency between the key manager and the applications. Keys are automatically replicated across all three clusters, eliminating a single point of failure. An intelligent load-balancing service automatically accesses the key management service closest to the requesting source, and if a cluster is unavailable, the service automatically routes the request to the next closest cluster.

The SmartKey architecture leverages open standards including KMIP, SAML/SSO and PKCS#11, enabling broad adoption throughout the enterprise data center, as well as public and private clouds. Encryption standards include AES, RSA, HMAC and ECC, along with opaque objects, to provide the highest levels of security. SmartKey can integrate with security information and event management (SIEM) solutions to enhance visibility into vulnerability management.

Tamper-proof audit logging keeps an accurate account of the activity for the SmartKey solution. The auditing is comprehensive and covers actions including but not limited to create, read, update and delete operations; login/logout by applications and users; all crypto operations and all key management operations.


SmartKey enables customers to retain complete privacy and control over their keys, enabling data sovereignty policies. This ensures that only authorized users gain access, and it keeps data private from third parties, including service providers and Equinix itself.

Maintaining the secrecy of keys is of utmost importance to the SmartKey solution. All customer keys remain encrypted at all times to prevent theft and eliminate attack vectors. The keys remain encrypted on disk, on the network and in memory. This architecture even protects the keys from bad actors, in the event that they gain physical access or compromise admin access to any component of the solution. This powerful combination of HSM features and software advances provides the highest levels of security to protect your controls, including the use of Intel® SGX enclaves.

Enterprise-grade security of Intel SGX

The SmartKey solution includes key management, authentication, authorization and audit logging that are isolated and secured with Intel SGX enclaves.

Intel SGX enclaves are a hardware-assisted trusted execution environment that provides the smallest possible attack surface: the CPU boundary. This specialized Intel architecture increases security even if the computer platform itself is compromised. Advantages of the Intel SGX approach include:

• Confidentiality and integrity are maintained even if privileged malware is present at the OS, BIOS, VMM or SMM layers, so secrets remain protected.

• Memory bus snooping, memory tampering and “cold boot” attacks against memory images in RAM are proactively prevented.

• Hardware-based attestation capabilities measure and verify valid code, credentials and sensitive data such as data signatures.

The net result is that Intel SGX enclaves enable the SmartKey solution to safely store secrets and protect data.

[Figure: Equinix SmartKey. Labels: SMARTKEY™; Trusted Component inside a SECURE ENCLAVE (SGX) holding Data and Key; Untrusted Application outside the enclave.]


Advanced protection through encryption key hierarchy

When at rest, keys are encrypted multiple times, with the final key completely controlled by you, the customer. This key hierarchy, or nesting of encryption, ensures that keys are highly secure and that outsiders cannot gain access.

[Figure: Key hierarchy on disk. Labels, as listed in the figure: Customer Key / Customer Data; Device Master Key; SmartKey Service Key; Cluster Key; Unique Customer Secret.]
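The nested encryption described above, as an added example that is not Equinix’s or Fortanix’s code: the four layer names come from the figure, while AES-256-GCM as the wrapping algorithm, the layer name bound as associated data, and the on-disk record layout are assumptions made here to show why nothing in the record is recoverable without the customer-held secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Layers innermost first, as in the figure; the outermost wrapper, the Unique Customer Secret, is never stored.
var layers = []string{"Customer Key", "Device Master Key", "SmartKey Service Key", "Cluster Key"}

// Record is the on-disk form: WrappedKeys[i] is layers[i] sealed under layers[i+1] (or the customer secret).
type Record struct {
	Ciphertext  []byte
	WrappedKeys [][]byte
}

// seal is AES-256-GCM with the random nonce prepended; callers guarantee a 32-byte key.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing CSPRNG has no safe fallback
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Protect encrypts data under a fresh Customer Key, then seals each layer's key under the next, ending with the customer's secret.
func Protect(customerSecret, data []byte) (*Record, error) {
	if len(customerSecret) != 32 {
		return nil, errors.New("customer secret must be 32 bytes (AES-256)")
	}
	keys := make([][]byte, len(layers))
	for i := range keys {
		keys[i] = make([]byte, 32)
		if _, err := rand.Read(keys[i]); err != nil {
			return nil, err
		}
	}
	rec := &Record{Ciphertext: seal(keys[0], data, []byte("customer data"))}
	keks := append(keys[1:], customerSecret) // keks[i] wraps keys[i]
	for i, k := range keys {
		// Binding the layer name as AAD stops a wrapped key being moved to another position in the hierarchy.
		rec.WrappedKeys = append(rec.WrappedKeys, seal(keks[i], k, []byte(layers[i])))
	}
	return rec, nil
}

// Recover walks the hierarchy outermost-in; a wrong secret or any tampered wrapped key fails authentication and reveals nothing.
func Recover(customerSecret []byte, rec *Record) ([]byte, error) {
	if len(customerSecret) != 32 || len(rec.WrappedKeys) != len(layers) {
		return nil, errors.New("bad secret length or malformed record")
	}
	kek := customerSecret
	for i := len(layers) - 1; i >= 0; i-- {
		k, err := open(kek, rec.WrappedKeys[i], []byte(layers[i]))
		if err != nil {
			return nil, errors.New("unwrap " + layers[i] + ": " + err.Error())
		}
		kek = k
	}
	return open(kek, rec.Ciphertext, []byte("customer data"))
}
```

Because every intermediate key exists only in wrapped form, a copy of the record taken from disk yields nothing to anyone who does not hold the customer secret, which is the property the hierarchy is meant to give.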

Protecting all four components is critical to encryption key security

There are four areas of concern when it comes to maintaining secrecy of your enterprise’s encryption keys:

• The way that the applications communicate with the key manager.

• The storage of keys on hard drives or similar media.

• The storage of keys while in computer memory.

• The processing of keys and associated encryption tasks within the CPU.

Legacy HSM solutions typically address only two of the four areas of concern. They may use SSL between the requesting application and a web service used as part of the key management service. They may also protect the keys with encryption while at rest in the HSM storage. But they typically do not address protection of the computer memory or the execution space. Unfortunately, as cyberattacks become more sophisticated, leaving these areas of key management vulnerable increases the risk to organizations.

[Figure: Legacy HSM. Labels: Application; HSM; RAM; Protected at rest; Protected in transit.]


SmartKey provides security for all four areas of concern, including:

• Use of SSL for secure communications, with API keys and/or certificates required for access.

• Encryption of keys when at rest on the hard drive.

• Encryption of keys when in memory.

• Advanced hardware-based protection when keys and encryption tasks are being processed by the CPU.

By encrypting communications, storage and memory and using Intel SGX enclaves for processing, the SmartKey solution provides a higher level of enterprise-grade security.

[Figure: SMARTKEY™ HSM as a Service. Labels: HDD (Protection at rest); SGX (CPU) (Protection in use); RAM (Protection in memory); Protection in transit.]

Enhanced hardware security

The hardware security management portion of the solution includes a physical element that enhances security. The appliance chassis that runs the software is validated as being within the FIPS boundary. The appliance has a tamper-resistant and tamper-evident lid. It employs tamper detection and includes an automated response mechanism that can cause critical security parameters to be zeroized.

SmartKey is FIPS 140-2 Level 3 validated.6 By applying cryptographic isolation at the most granular application level, it enables fine-grained data protection with a hyperfocused trust boundary.

6 Footnote pending re: FIPS validation

SUMMARY

With SmartKey, enterprises can protect data in public, private, hybrid or multicloud environments and simplify provisioning and control of encryption keys while keeping keys at the digital edge—in close proximity to the data. When SmartKey is accessed on Platform Equinix, enterprises can also securely integrate with clouds and digital business services by strategically applying the best practices of an Interconnection Oriented Architecture® (IOA®).

Maintaining the complete privacy of your data is central to the Equinix SmartKey solution. Only authorized users will have access to key materials, ensuring that neither CSPs, ecosystem partners nor Equinix employees themselves can gain access. This level of privacy helps defend against malicious insiders, government coercion, social engineering and provider administrators.



About Equinix

Equinix, Inc. (Nasdaq: EQIX) connects the world’s leading businesses to their customers, employees and partners inside the most-interconnected data centers. In 52 markets across five continents, Equinix is where companies come together to realize new opportunities and accelerate their business, IT and cloud strategies.

In a digital economy where enterprise business models are increasingly interdependent, interconnection is essential to success. Equinix operates the only global interconnection platform, sparking new opportunities that are only possible when companies come together.

Equinix.com © 2018 Equinix, Inc.

Corporate HQ: Equinix, Inc., One Lagoon Drive, Redwood City, CA 94065, USA. Main: +1.650.598.6000. Email: [email protected]

EMEA: Equinix (EMEA) BV, Rembrandt Tower, Amstelplein 1, 1096 HA Amsterdam, Netherlands. Main: +31.20.754.0305. Email: [email protected]

Asia-Pacific: Equinix Hong Kong Limited, 65/F International Commerce Center, 1 Austin Road West, Kowloon, Hong Kong. Main: +852.2970.7788. Email: [email protected]

WP_SmartKey_A4-EN | 286016 | v102418 | 1018 | Q218